Who we are
Freyaa is a multi-tenant sports facility management platform. Each club operates as a separate data controller for its own members; Freyaa operates as the processor and provides the platform. A signed Data Processing Agreement (DPA) sits behind every subscription.
What we collect
- Account data (email, name, optional phone) — required to sign you in
- Booking history, tournament registrations, attendance records
- Payment metadata (Stripe handles the card data; we hold reference IDs only)
- Audit log entries for changes you make
- IP address + user-agent on auth events for security forensics
- Cookie consent decisions
Why we collect it
Bookings, billing, and audit logging are processed under contract. Authentication and security logs are processed under legitimate interest. Marketing or analytics cookies are processed under consent only — you control them via the banner and can revoke at any time from your profile.
Your rights
You can:
- Download everything we hold on you — go to /profile and click "Download my data".
- Erase your account — same page, "Delete my account". This anonymises your records (we cannot fully delete payment-related rows owing to HMRC's 6-year retention requirement; everything else is scrubbed).
- Correct mistakes — edit your profile directly.
- Withdraw cookie consent — see the small "Cookies" link in the page footer.
- Lodge a complaint with your supervisory authority. In the UK that's the ICO at ico.org.uk.
Sub-processors
The platform relies on these sub-processors. Each has a DPA in place; the list updates when the architecture changes.
- Vercel — hosting
- Neon (EU) — Postgres
- Cloudflare — DNS, CDN, R2 storage (logos)
- Stripe — payments
- Resend — transactional email
- Upstash — Redis (rate limiting + idempotency)
- Inngest — background job orchestration
- Tomorrow.io — weather alerts (only when enabled)
- Sentry / Axiom (EU) — error + log telemetry
Retention
Operational data lives 2 years after your last interaction. Billing-adjacent records (bookings with prices, payment intent IDs, refunds) live 7 years to satisfy HMRC. After erasure your name, email, and phone are removed; the booking row stays linked to your (now-anonymous) user id so the financial history reconciles.
Questions
Email privacy@freyaa.club. For security issues specifically, see our security page.